“Sina Weibo (NASDAQ: WB) is a Chinese microblogging (weibo) website. Akin to a hybrid of Twitter and Facebook, it is one of the most popular sites in China, in use by well over 30% of Internet users, with a market penetration similar to the United States’ Twitter. It was launched by SINA Corporation on 14 August 2009, and has 503 million registered users as of December 2012. About 100 million messages are posted each day on Sina Weibo. In March 2014, Sina Corporation announced a spinoff of Weibo as a separate entity and filed an IPO under the symbol WB. Sina retains 56.9% ownership in Weibo. The company began trading publicly on April 17, 2014. “Weibo” (微博) is the Chinese word for “microblog”. Sina Weibo launched its new domain name weibo.com on 7 April 2011, deactivating and redirecting from the old domain, t.sina.com.cn to the new one. Due to its popularity, the media sometimes directly uses “Weibo” to refer to Sina Weibo. However, there are other Chinese microblogging/weibo services including Tencent Weibo, Sohu Weibo and NetEase Weibo.” (Wikipedia)

Weibo’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&redirct_uri” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Weibo.

At the same time, it can be used to collect sensitive information of both third-party app and users by using the following parameters (sensitive information is contained in HTTP header.),

“&response_type”=sensitive_info,token…

“&scope”=get_user_info%2Cadd_share…

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

When a logged-in Weibo user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&redirect_uri”.

If a user has not logged onto Weibo and clicks the URL ([1]) above, the same situation will happen upon login.

After acceptance of third-party application:

A logged-in Weibo user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

(2.1.1) Weibo would normally allow all the URLs that belong to the domain of an authorized third-party website. However, these URLs could be prone to manipulation. For example, the “&redirect_uri” parameter in the URLs is supposed to be set by the third-party websites, but an attacker could change its value to make Attacks.

Hence, a user could be redirected from Weibo to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site unwillingly. This is as if the user is redirected from Weibo directly. The number of Weibo’s OAuth 2.0 client websites is so huge that such Attacks could be commonplace.

Before acceptance of the third-party application, Weibo’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Weibo’s authentication system and attack more easily.

Used one of webpages for the following tests. The webpage is “https://biyiniao.wordpress.com/“. We can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

Covert Redirect is a class of security bugsdisclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well.